Following the recent disclosure of a massive data breach that affected nearly 40 million customers, retail giant Target has now confirmed that encrypted PIN data from card transactions was accessed by hackers.
Target, which on Dec. 23 confirmed it was working with the United States Secret Service and the Department of Justice to investigate to investigate the incident, has reversed earlier statements that PIN numbers had not been compromised in the breach.
“While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed,” a Target spokesperson told SecurityWeek on Friday in an emailed statement.
While encrypted PIN numbers may have been accessed by attackers, Target is confident that because the information was fully encrypted, customers should not panic.
“We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” the statement continued.
According to the retail giant, when a customer uses a debit card in a Target store and enters a PIN, the PIN is encrypted at the keypad using the popular Triple DES encryption standard.
Target said it does store the encryption key in its system, and that it does not have access to the encryption key used to store PIN data.
“The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor,” the company explained.
“What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”
According to Target, debit card accounts have not been compromised due to the encrypted PIN numbers being taken.
Related: Experts Debate How Hackers Stole 40 Million Card Numbers from Target

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
More from Mike Lennon
- Watch Now: Threat Detection and Incident Response Virtual Summit
- Registration Now Open: 2023 ICS Cybersecurity Conference | Atlanta
- NetRise Adds $8 Million in Funding to Grow XIoT Security Platform
- Virtual Event Today: Zero Trust Strategies Summit
- Virtual Event Tomorrow: Zero Trust Strategies Summit
- Watch: How to Build Resilience Against Emerging Cyber Threats
- Video: How to Build Resilience Against Emerging Cyber Threats
- Webinar Today: Understanding Hidden Third-Party Identity Access Risks
Latest News
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
- Microsoft Will Pay $20M to Settle US Charges of Illegally Collecting Children’s Data
- KeePass Update Patches Vulnerability Exposing Master Password
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Keep Aware Raises $2.4M to Eliminate Browser Blind Spots
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
